identify duplicate logs? #6903

juju4 · 2025-05-25T23:28:59Z

juju4
May 25, 2025

is there a way as efficient as possible to identify duplicate logs?
aka misconfigured source which send the same log multiple time (for example a daemon rereading full log file at each write...)
the _timestamp (collector received time) will likely be different while message time (in log) would likely be the same.

prabhatsharma · 2025-05-26T03:06:17Z

prabhatsharma
May 26, 2025
Maintainer

You can create a scheduled action to do this. Run it every 1 minute fetch the records, look for duplicates and generate an alert if you find a duplicate

1 reply

juju4 Jun 8, 2025
Author

I was less asking about the alerting than how to query efficiently.
counting on one field or _timestamp may not be enough to find all duplicates and not representative.

# ~60 results on a day
select * from (select _timestamp,count(*) as count_ from "journald" group by _timestamp)  where count_ > 1
# not necessarily real duplicate depending if timestamp in
select * from (select body_message,count(*) as count_ from "journald" group by body_message)  where count_ > 1
# more likely, ~150 in a day
select * from (select body_message,body__source_realtime_timestamp,count(*) as count_ from "journald" group by body_message,body__source_realtime_timestamp)  where count_ > 1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

identify duplicate logs? #6903

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

identify duplicate logs? #6903

Uh oh!

juju4 May 25, 2025

Replies: 1 comment · 1 reply

Uh oh!

prabhatsharma May 26, 2025 Maintainer

Uh oh!

juju4 Jun 8, 2025 Author

juju4
May 25, 2025

Replies: 1 comment 1 reply

prabhatsharma
May 26, 2025
Maintainer

juju4 Jun 8, 2025
Author